Researchers observed the re-emergence of the SharkBot trojan targeting Android users. Specifically, they discovered a new SharkBot malware variant exhibiting more malicious functionalities. Users must remain careful when downloading apps from unknown or untrusted developers, even from the Play Store.
More Potent SharkBot Malware Variant Surfaces Online
Researchers from Fox-IT have discovered a new SharkBot malware variant in the wild, distributed through the Play Store.
SharkBot version 2.25 caught Fox-IT’s attention when it communicated with its previous servers. The researchers, however, observed the malware exhibiting new properties.
SharkBot malware first surfaced online earlier this year, behaving as a potent Android trojan. It impersonated numerous legitimate apps. Since then, numerous SharkBot variants have continued to emerge, executing different activities.
Specifically, the recent SharkBot variant stands out because it can now steal session cookies. Hence, this malware now threatens users’ account security as well.
Unlike its predecessor, the new malware dropper doesn’t use the Accessibility service to install the trojan. Instead, it tricks the user into downloading the malware by creating false notifications for app updates.
For example, in the campaign detected by Fox-IT, the malware existed on the Play Store via two fake Android cleaner and antivirus apps – Mister Phone Cleaner and Kylhavy Mobile Security. Initially, the apps successfully made it to the Play Store as they appeared harmless. However, the developers later rolled out the malware as app updates to the infected devices.
While this strategy depends on user interaction and gives up automation, it helps the threat actors escape Google’s security checks. The malware dropper directly requests the malware APKs from the server, installing them onto the target devices. Additionally, the new SharkBot variant excludes the ‘Direct Reply’ feature, ensuring no detection due to suspicious permissions.
Besides stealing cookies, the prominent functionalities of SharkBot 2.25 include overlay attacks, keylogging, SMS interception, and remote control.
Detailed technical analysis of the malware is available in the researchers’ post.
Malicious Apps Now Removed
Following this discovery, researchers informed Google about the malicious apps, after which the tech giant removed the apps from the Play Store.
Since both apps have numerous downloads, the malware may continue to exist on infected devices, threatening the victim’s and other users’ security. Therefore, users who may have downloaded Kylhavy Mobile Security or Mister Phone Cleaner should uninstall the apps immediately and scan their devices with a robust antimalware tool.
To avoid such attacks in the future, users must stick to downloading apps from known, legit developers only, even when on the Play Store.